| CVE | CVE-2021-24349 |
|---|---|
| CVSS | Medium (6.1) |
| Publicly Published | May 26, 2021 |
| Last Updated | January 22, 2024 |
| Researcher |
Satyender Yadav
|
This Gallery from files WordPress plugin through 1.6.0 gives the functionality of uploading images to the server. But filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected Cross-Site Scripting issue. Due to the lack of CSRF check, the attack could also be performed via such vector.
References| Software Type | Plugin |
|---|---|
| Software Slug | gallery-from-files (view on wordpress.org) |
| Patched? | No |
| Affected Version |
|
| Patched Version |
|
Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy.
License Detail.